Snort Rule
What is Snort Rule?
A signature in the Snort intrusion-detection rule language that describes network traffic patterns to alert on or block in IDS or IPS mode.
Snort is a long-running open-source intrusion detection and prevention system originally created by Martin Roesch in 1998 and now maintained by Cisco Talos. A Snort rule has a header (action, protocol, source/destination addresses and ports, direction) and a body of options (content, pcre, flow, sid, rev, classtype, reference) that describe payload patterns and metadata. Rules are organized into community, registered, and subscriber rule sets, distributed via the Talos rule feed, and consumed by Snort 2, Snort 3, and many commercial NGFW and IDS products. Defenders write custom rules to detect specific exploits, malware C2, and policy violations.
● Examples
- 01: A Snort rule alerting on outbound HTTP traffic that matches a known C2 user-agent string.
- 02: Subscribing to the Talos rule set to get same-day coverage of critical CVEs in Snort 3.
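As an added illustration of the header/options structure described above and of example 01 (this is not code from the page or from the Snort project), a small Python parser that splits a Snort 2 rule into its seven header fields and its ordered option list; the rule itself, the ExampleBot user-agent and sid 1000001 are constructed placeholders.

```python
import re

# Constructed example rule in Snort 2 syntax (not from the page): alert on an outbound
# HTTP request whose User-Agent matches a hypothetical C2 beacon string.
EXAMPLE_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    '(msg:"MALWARE-CNC ExampleBot beacon user-agent"; flow:to_server,established; '
    'content:"User-Agent|3A| ExampleBot/1.0"; http_header; nocase; '
    'classtype:trojan-activity; sid:1000001; rev:1;)'
)

HEADER_FIELDS = ("action", "protocol", "src", "src_port", "direction", "dst", "dst_port")

def split_options(body):
    """Split the option body on ';' outside quotes, honouring backslash escapes.
    Returns (keyword, value) pairs; value is None for flag options such as nocase."""
    options, current, in_quotes, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and in_quotes and i + 1 < len(body):
            current.append(body[i:i + 2])  # keep escaped char (e.g. \; or \") verbatim
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            token = "".join(current).strip()
            if token:
                key, _, value = token.partition(":")
                options.append((key.strip(), value.strip() or None))
            current = []
        else:
            current.append(ch)
        i += 1
    if in_quotes or "".join(current).strip():
        raise ValueError("unterminated quote or option missing its ';'")
    return options

def parse_snort_rule(rule):
    """Parse one rule into its seven header fields plus an ordered option list."""
    m = re.fullmatch(r"\s*(.*?)\s*\((.*)\)\s*", rule, re.S)
    if not m:
        raise ValueError("rule body must be enclosed in parentheses")
    header = m.group(1).split()
    if len(header) != len(HEADER_FIELDS) or header[4] not in ("->", "<>"):
        raise ValueError(f"malformed header: {m.group(1)!r}")
    parsed = dict(zip(HEADER_FIELDS, header))
    parsed["options"] = split_options(m.group(2))
    return parsed
```

Local rules conventionally use sid values of 1000000 and above so they never collide with Talos-distributed rule ids.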
● Frequently asked questions
What is Snort Rule?
A signature in the Snort intrusion-detection rule language that describes network traffic patterns to alert on or block in IDS or IPS mode. It belongs to the Defense & Operations category of cybersecurity.
What are other names for Snort Rule?
Common alternative names include: Snort signature, Talos rule.
● Related terms
- Intrusion Detection System (IDS) [network-security, № 547]: A passive security control that monitors network or host activity for malicious behaviour and raises alerts without blocking traffic.
- Intrusion Prevention System (IPS) [network-security, № 548]: An inline security control that detects malicious traffic and actively blocks, resets, or scrubs it in real time.
- Signature-Based Detection [network-security, № 1043]: A detection method that compares observed traffic, files, or behaviour against a database of known-bad patterns (signatures) to flag malicious activity.
- Suricata [defense-ops, № 1117]: An open-source, high-performance network IDS, IPS, and security-monitoring engine maintained by the Open Information Security Foundation (OISF).
- Deep Packet Inspection (DPI) [network-security, № 295]: An inspection technique that examines the full payload of network packets — not just headers — to identify applications, content, and threats.
- Network-Based IDS (NIDS) [network-security, № 724]: An intrusion-detection sensor that inspects traffic captured from a network segment to identify malicious patterns and policy violations.